Blocklists - IP, DNS, RBL and ads - Which do you use?

I was going over some CSF settings that had some blocklists configured, and it prompted me to take a look at all of the blocklists I've been using over the years.

Which blocklists (or whitelists!) would you recommend?
For your firewalls, DNS servers, mail servers, ad blockers, AV definitions/signatures, etc.

Comments

  • Interested

  • Something I use on my mail server:

    #!/bin/bash
    ipset flush
    
    ipset create ipsum hash:net
    ipset create exim hash:net
    ipset create dnsbl hash:net
    
    rm /tmp/iplist.txt
    rm /tmp/exim.txt
    
    grep -i "authenticator failed" /var/log/exim4/mainlog | perl -pe 's/.*\[(\d+(\.\d+){3})\]:.*/$1/' >> /tmp/iplist.txt
    grep -i "SMTP command timeout" /var/log/exim4/mainlog | perl -pe 's/.*\[(\d+(\.\d+){3})\].*/$1/' >> /tmp/iplist.txt
    grep -i "no host name found for IP address" /var/log/exim4/mainlog | perl -pe 's/.*(\d+(\.\d+){3}).*/$1/' >> /tmp/iplist.txt
    grep -i "relay not permitted" /var/log/exim4/mainlog | perl -pe 's/.*\[(\d+(\.\d+){3})\].*/$1/' >> /tmp/iplist.txt
    grep -i "SMTP syntax error" /var/log/exim4/mainlog | perl -pe 's/.*\[(\d+(\.\d+){3})\].*/$1/' >> /tmp/iplist.txt
    grep -i "refused: too many connections" /var/log/exim4/mainlog | perl -pe 's/.*\[(\d+(\.\d+){3})\].*/$1/' >> /tmp/iplist.txt
    grep -i "rejected RCPT" /var/log/exim4/mainlog | grep -iv ':' | perl -pe 's/.*\[(\d+(\.\d+){3})\].*/$1/' >> /tmp/iplist.txt
    
    for ip in $(cat /tmp/exim.txt | grep -v "#" | cut -f 1); do ipset add exim $ip; done
    iptables -I INPUT -m set --match-set exim src -j DROP
    
    for ip in $(curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt 2>/dev/null | grep -v "#" | cut -f 1 | sort | uniq ); do ipset add ipsum $ip; done
    iptables -I INPUT -m set --match-set ipsum src -j DROP
    
    for ip in $(curl --compressed https://www.spamhaus.org/drop/drop.txt 2>/dev/null | sed 's/;.*$//g'); do ipset add dnsbl $ip; done
    for ip in $(curl --compressed https://www.spamhaus.org/drop/edrop.txt 2>/dev/null | sed 's/;.*$//g'); do ipset add dnsbl $ip; done
    iptables -I INPUT -m set --match-set dnsbl src -j DROP
    
    

    https://github.com/stamparm/ipsum

    Thanked by 1 (maverick)
  • I like your approach, @stoned!

    Thanked by 1 (stoned)
  • @tjn said: Which blocklists (or whitelists!) would you recommend?

    None. It's foolish to delegate your filtering to someone else.

  • @UrDN said:
    None. It's foolish to delegate your filtering to someone else.

    Go on then, how are you doing your filtering?

  • Community maintained efforts are better than solo efforts. A collective database contributed to by many is a good idea in many cases, but not every case.

    Thanked by 1 (tjn)
  • @tjn said:
    Go on then, how are you doing your filtering?

    Filtering what?

  • #!/bin/bash
    # Rebuild three ipsets: 'exim' from abusive peers found in our own Exim log,
    # 'ipsum' from the stamparm/ipsum level-3 feed, 'dnsbl' from Spamhaus DROP/EDROP.
    # Create the sets if they are missing, then flush only these three; a bare
    # 'ipset flush' would also empty every set that belongs to another tool (CSF etc.).
    for s in ipsum exim dnsbl; do
        ipset -exist create "$s" hash:net
        ipset flush "$s"
    done
    
    rm -f /tmp/iplist.txt /tmp/exim.txt
    
    # Pull the peer address [a.b.c.d] out of the Exim messages we care about.
    # perl -pe passes non-matching lines through unchanged; they still carry the
    # timestamp (with ':'), so the 'grep -v :' below discards them together with IPv6 peers.
    grep -i "authenticator failed" /var/log/exim4/mainlog | perl -pe 's/.*\[(\d+(\.\d+){3})\]:.*/$1/' >> /tmp/iplist.txt
    grep -i "SMTP command timeout" /var/log/exim4/mainlog | perl -pe 's/.*\[(\d+(\.\d+){3})\].*/$1/' >> /tmp/iplist.txt
    # This message has no brackets round the address. Anchor with \b so the greedy .*
    # cannot swallow leading digits (without it 10.2.3.4 came out as 0.2.3.4).
    grep -i "no host name found for IP address" /var/log/exim4/mainlog | perl -pe 's/.*\b(\d+(\.\d+){3}).*/$1/' >> /tmp/iplist.txt
    grep -i "relay not permitted" /var/log/exim4/mainlog | perl -pe 's/.*\[(\d+(\.\d+){3})\].*/$1/' >> /tmp/iplist.txt
    grep -i "SMTP syntax error" /var/log/exim4/mainlog | perl -pe 's/.*\[(\d+(\.\d+){3})\].*/$1/' >> /tmp/iplist.txt
    grep -i "refused: too many connections" /var/log/exim4/mainlog | perl -pe 's/.*\[(\d+(\.\d+){3})\].*/$1/' >> /tmp/iplist.txt
    # No "grep -v ':'" before the perl here: every mainlog line carries a timestamp
    # with ':' in it, so that filter silently threw away all the rejected RCPT lines.
    grep -i "rejected RCPT" /var/log/exim4/mainlog | perl -pe 's/.*\[(\d+(\.\d+){3})\].*/$1/' >> /tmp/iplist.txt
    
    # De-duplicate and keep only bare IPv4 addresses (IPv6 and unmatched lines contain ':').
    sort -u /tmp/iplist.txt | grep -v ':' > /tmp/exim.txt
    
    for ip in $(grep -v "#" /tmp/exim.txt | cut -f 1); do ipset -exist add exim "$ip"; done
    # Insert each DROP rule only if it is not already present; otherwise every run
    # of this script would stack another copy of the rule in INPUT.
    iptables -C INPUT -m set --match-set exim src -j DROP 2>/dev/null || iptables -I INPUT -m set --match-set exim src -j DROP
    
    for ip in $(curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt 2>/dev/null | grep -v "#" | cut -f 1 | sort -u); do ipset -exist add ipsum "$ip"; done
    iptables -C INPUT -m set --match-set ipsum src -j DROP 2>/dev/null || iptables -I INPUT -m set --match-set ipsum src -j DROP
    
    # DROP/EDROP lines look like "1.2.3.0/24 ; SBL123"; strip the comment after ';'.
    for ip in $(curl --compressed https://www.spamhaus.org/drop/drop.txt 2>/dev/null | sed 's/;.*$//'); do ipset -exist add dnsbl "$ip"; done
    for ip in $(curl --compressed https://www.spamhaus.org/drop/edrop.txt 2>/dev/null | sed 's/;.*$//'); do ipset -exist add dnsbl "$ip"; done
    iptables -C INPUT -m set --match-set dnsbl src -j DROP 2>/dev/null || iptables -I INPUT -m set --match-set dnsbl src -j DROP
    

    Somehow magically deleted this line while pasting earlier: sort -u /tmp/iplist.txt | grep -iv no | grep -v ':' > /tmp/exim.txt, without which the script doesn't make sense.

    Enjoy

    I do similar custom filtering on all services just like this one, as well as general known bad actors from multiple reported bad actor lists.
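A worked example added by the editor, not code from the thread or from any of the posters. It does the same job as the scripts above (turn abusive Exim log lines and a Spamhaus DROP-style feed into ipset members) in Python, but validates every candidate address with the ipaddress module, so a sloppy regex cannot put a truncated or IPv6 address into an IPv4 hash:net set, keeps our own private ranges out of the set whatever the log says, and applies a per-source hit threshold so one mistyped password does not ban a legitimate user. The log lines, the feed text, the threshold and the never-block list are constructed for the example; the Exim message strings and the "1.2.3.0/24 ; SBL123" feed format are the ones the thread's script already greps for.

```python
"""Constructed example: Exim log + DROP feed -> ipset restore input (not the thread's script)."""
import ipaddress
import re
from collections import Counter

# Exim mainlog messages the thread's script greps for.
EXIM_PATTERNS = (
    "authenticator failed", "SMTP command timeout",
    "no host name found for IP address", "relay not permitted",
    "SMTP syntax error", "refused: too many connections", "rejected RCPT",
)

# Exim logs the peer as [addr] after the host name, except for the reverse-DNS
# message, which ends in a bare "IP address a.b.c.d".
_BRACKETED = re.compile(r"\[([0-9A-Fa-f.:]+)\]")
_BARE_V4 = re.compile(r"IP address (\d{1,3}(?:\.\d{1,3}){3})\b")

# Editorial choice: never put loopback or RFC1918 space into a DROP set.
_NEVER_BLOCK = tuple(ipaddress.ip_network(n) for n in
                     ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def offending_ipv4(line):
    """Return the IPv4 peer of an abusive Exim log line, or None."""
    low = line.lower()
    if not any(p.lower() in low for p in EXIM_PATTERNS):
        return None
    m = _BRACKETED.search(line) or _BARE_V4.search(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:              # e.g. 999.1.1.1 or a mangled v6 literal
        return None
    if addr.version != 4 or any(addr in n for n in _NEVER_BLOCK):
        return None                 # IPv6 peers cannot go into an inet hash:net set
    return str(addr)


def offenders(lines, min_hits=2):
    """Count abusive lines per source; return sources with at least min_hits."""
    hits = Counter(ip for ip in map(offending_ipv4, lines) if ip)
    return sorted(ip for ip, n in hits.items() if n >= min_hits)


def feed_networks(text):
    """Parse a DROP-style feed ("1.2.3.0/24 ; SBL123"), skipping comments and junk."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            nets.append(str(ipaddress.ip_network(entry, strict=False)))
        except ValueError:
            continue                # malformed line: ignore rather than abort the run
    return nets


def ipset_restore(setname, members):
    """Render input for `ipset restore`: create if missing, flush, then add members."""
    out = [f"create {setname} hash:net -exist", f"flush {setname}"]
    out.extend(f"add {setname} {m} -exist" for m in members)
    return "\n".join(out) + "\n"


# Constructed sample data (documentation address ranges, not real peers).
SAMPLE_LOG = """\
2024-05-01 10:00:01 login authenticator failed for (x) [203.0.113.5]: 535 Incorrect authentication data
2024-05-01 10:00:02 login authenticator failed for (x) [203.0.113.5]: 535 Incorrect authentication data
2024-05-01 10:00:03 no host name found for IP address 198.51.100.77
2024-05-01 10:00:04 no host name found for IP address 198.51.100.77
2024-05-01 10:00:05 H=(pc) [192.168.1.20] F=<a@example.org> rejected RCPT <b@example.net>: relay not permitted
2024-05-01 10:00:06 SMTP command timeout on connection from (h) [2001:db8::1]
2024-05-01 10:00:07 login authenticator failed for (y) [203.0.113.9]: 535 Incorrect authentication data
2024-05-01 10:00:08 1sABCD-000001-AB <= bob@example.org H=(mx) [203.0.113.40] P=esmtpsa
""".splitlines()

SAMPLE_FEED = """\
; DROP list (constructed sample)
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
not-an-address ; bogus
"""

if __name__ == "__main__":
    print(ipset_restore("exim", offenders(SAMPLE_LOG)), end="")
    print(ipset_restore("dnsbl", feed_networks(SAMPLE_FEED)), end="")
```

Pipe the output into `ipset restore` instead of calling `ipset add` once per address; the `-exist` suffix keeps re-runs idempotent, and the DROP rule in iptables still has to be inserted once, exactly as in the shell script.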
